Merge ~enr0n/ubuntu/+source/openssh:generator-v3 into ubuntu/+source/openssh:ubuntu/devel

Proposed by Nick Rosbrook
Status: Merged
Merged at revision: f29f3057cc20e93124eef7e1034d72026601d3f1
Proposed branch: ~enr0n/ubuntu/+source/openssh:generator-v3
Merge into: ubuntu/+source/openssh:ubuntu/devel
Diff against target: 1585 lines (+572/-621)
29 files modified
debian/README.Debian (+12/-13)
debian/changelog (+27/-0)
debian/control (+1/-0)
debian/openssh-server.install (+2/-0)
debian/openssh-server.postinst (+27/-171)
debian/openssh-server.postrm (+0/-4)
debian/openssh-server.templates (+0/-12)
debian/openssh-server.ucf-md5sum (+6/-0)
debian/patches/series (+1/-1)
debian/patches/sshd-socket-generator.patch (+363/-0)
debian/po/cs.po (+1/-26)
debian/po/da.po (+1/-26)
debian/po/de.po (+1/-26)
debian/po/es.po (+1/-26)
debian/po/fr.po (+1/-26)
debian/po/it.po (+1/-26)
debian/po/ja.po (+1/-26)
debian/po/nl.po (+1/-26)
debian/po/pt.po (+1/-26)
debian/po/pt_BR.po (+1/-26)
debian/po/ru.po (+3/-28)
debian/po/sv.po (+1/-26)
debian/po/templates.pot (+2/-27)
debian/po/tr.po (+2/-27)
debian/rules (+1/-1)
debian/systemd/ssh.socket (+3/-1)
debian/tests/control (+6/-0)
debian/tests/sshd-socket-generator (+105/-0)
dev/null (+0/-50)
Reviewer: Steve Langasek (community)
Review status: Approve
Review via email: mp+460543@code.launchpad.net

Description of the change

Add sshd-socket-generator, which generates ListenStream= overrides by parsing sshd_config, rather than writing the override once on package upgrade.

Steve Langasek (vorlon) :
review: Needs Fixing
Nick Rosbrook (enr0n) wrote :

Thanks for reviewing, Steve. Replied to inline comments.

Nick Rosbrook (enr0n) wrote :

And pushed new changes.

Steve Langasek (vorlon) wrote :

Thanks, you've addressed the fails-to-start-on-boot issue brilliantly, I didn't realize there was a solution for this in systemd unit syntax (and wonder whether FreeBind=yes shouldn't be the default?)

I can't think of any other blockers for this to be an unconditional switch to socket activation as multiple listen addresses was the only case where we didn't already do the upgrade automatically.

I'm going to tag in Robie from server for an additional review since he had good feedback on the first iteration of this and would be a good second set of eyes.

I have not done an in-depth review of the C code. Do you want that from me here?

Nick Rosbrook (enr0n) wrote :

> I have not done an in-depth review of the C code. Do you want that from me
> here?

The more review the better, but I understand your time is valuable :D

Nick Rosbrook (enr0n) :
Steve Langasek (vorlon) wrote :

Marking approved, others in the team can also review C code if you need it (and I know Debian upstream will give you a solid review when you forward this)

review: Approve

Preview Diff

1diff --git a/debian/README.Debian b/debian/README.Debian
2index 8067852..70c588f 100644
3--- a/debian/README.Debian
4+++ b/debian/README.Debian
5@@ -186,27 +186,26 @@ Socket-based activation with systemd
6
7 By default, socket-based activation is used on systems that use systemd.
8
9-The provided ssh.socket unit file sets ListenStream=22. If you need to have
10-it listen on a different address or port, then you will need to do this as
11-follows (modifying ListenStream to match your requirements):
12-
13- mkdir -p /etc/systemd/system/ssh.socket.d
14- cat >/etc/systemd/system/ssh.socket.d/listen.conf <<EOF
15- [Socket]
16- ListenStream=2222
17- EOF
18+The provided ssh.socket unit file sets ListenStream=22. A systemd generator,
19+sshd-socket-generator, parses the sshd configuration and, if non-default
20+ListenAddress(s) or Port(s) are configured, generates corresponding
21+ListenStream= lines in a drop-in configration file for ssh.socket. To change
22+the port or address ssh.socket is listening on, edit /etc/ssh/sshd_config (or
23+add a drop-in file to /etc/ssh/sshd_config.d/) as usual and then run:
24+
25 systemctl daemon-reload
26 systemctl restart ssh.socket
27
28 See systemd.socket(5) for details.
29
30 If you do not want to use socket activation for ssh on your system, you
31-can disable socket activation by running:
32+can disable socket activation by masking the generator and re-enabling
33+ssh.service:
34
35- systemctl disable --now ssh.socket
36- rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
37- rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
38+ mkdir -p /etc/systemd/system-generators/
39+ ln -s /dev/null /etc/systemd/system-generators/sshd-socket-generator
40 systemctl daemon-reload
41+ systemctl disable --now ssh.socket
42 systemctl enable --now ssh.service
43
44 Terminating SSH sessions cleanly on shutdown/reboot with systemd
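Review bot: "configration" in the new generator paragraph should be "configuration", and "ListenAddress(s) or Port(s)" reads more cleanly as "ListenAddress or Port values". In the opt-out steps, `ln -s /dev/null /etc/systemd/system-generators/sshd-socket-generator` fails if that path already exists, so `ln -sf` would make the recipe repeatable. The paragraph could also state that restarting only ssh.service after editing sshd_config does not move the listening sockets, which is why the two systemctl commands that follow are required.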
45diff --git a/debian/changelog b/debian/changelog
46index eaaedcc..68dc34f 100644
47--- a/debian/changelog
48+++ b/debian/changelog
49@@ -1,3 +1,30 @@
50+openssh (1:9.6p1-3ubuntu3) noble; urgency=medium
51+
52+ * Add sshd-socket-generator to generate ssh.socket drop-in configuration
53+ instead of doing one-time generation on package upgrade:
54+ - debian/control: Build-Depends: systemd-dev
55+ - d/p/sshd-socket-generator.patch: add generator for socket activation
56+ - debian/openssh-server.install: install sshd-socket-generator
57+ - debian/openssh-server.postinst: handle migration to sshd-socket-generator
58+ - d/t/sshd-socket-generator: add dep8 test for sshd-socket-generator
59+ - ssh.socket: adjust unit for socket activation by default
60+ - debian/README.Debian: update ssh.socket documentation
61+ - debian/rules: explicitly enable LTO
62+ The armhf build was not using LTO, which made sshd-socket-generator FTBFS.
63+ This change ensures that all arches are using LTO.
64+ * Drop the following changes related to previous ssh socket activation approach:
65+ - debian/openssh-server.postrm: remove systemd drop-ins for
66+ socket-activated sshd on purge
67+ - debian/openssh-server.templates: include debconf prompt explaining
68+ when migration cannot happen due to multiple ListenAddress values
69+ - debian/openssh-server.postinst: handle migration of sshd_config options
70+ to systemd socket options on upgrade.
71+ - debian/patches/socket-activation-documentation.patch: Document in
72+ sshd_config(5) that ListenAddress and Port no longer work.
73+ * debian/openssh-server.ucf-md5sum: update for new Ubuntu delta
74+
75+ -- Nick Rosbrook <enr0n@ubuntu.com> Wed, 21 Feb 2024 12:51:30 -0500
76+
77 openssh (1:9.6p1-3ubuntu2) noble; urgency=medium
78
79 [ Marco Trevisan (Treviño) ]
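Review bot: The "debian/rules: explicitly enable LTO" item records that sshd-socket-generator failed to build on armhf without LTO, which suggests the link only succeeds when the optimizer discards code the generator never calls. That is fragile against toolchain or flag changes; consider trimming the generator's object list so it links without LTO, or at least noting in debian/rules which symbols are unresolved otherwise. The entry also carries no LP: # bug reference for a change that alters how the listening address is chosen on every upgraded system.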
80diff --git a/debian/control b/debian/control
81index e93b516..58e9a89 100644
82--- a/debian/control
83+++ b/debian/control
84@@ -20,6 +20,7 @@ Build-Depends: debhelper (>= 13.1~),
85 libwrap0-dev | libwrap-dev,
86 pkg-config,
87 zlib1g-dev,
88+ systemd-dev,
89 Standards-Version: 4.6.2
90 Uploaders: Colin Watson <cjwatson@debian.org>,
91 Matthew Vernon <matthew@debian.org>,
92diff --git a/debian/openssh-server.install b/debian/openssh-server.install
93index cf86dce..9942604 100755
94--- a/debian/openssh-server.install
95+++ b/debian/openssh-server.install
96@@ -19,3 +19,5 @@ debian/systemd/ssh-session-cleanup usr/lib/openssh
97 # dh_apport would be neater, but at the time of writing it isn't in unstable
98 # yet.
99 debian/openssh-server.apport => usr/share/apport/package-hooks/openssh-server.py
100+
101+usr/lib/systemd/system-generators/sshd-socket-generator
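Review bot: The install path usr/lib/systemd/system-generators/sshd-socket-generator is hard-coded here, while Makefile.in installs the binary into the directory reported by `pkg-config --variable=systemd_system_generator_dir systemd`. If the two ever differ, dh_install fails or ships nothing; either derive both from the same source or add a comment above the new line stating that they must match.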
102diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
103index cb9a301..251f11c 100644
104--- a/debian/openssh-server.postinst
105+++ b/debian/openssh-server.postinst
106@@ -17,87 +17,6 @@ get_config_option() {
107 /usr/sbin/sshd -G | sed -n "s/^$option //Ip"
108 }
109
110-get_config_option_all() {
111- option="$1"
112- file="$2"
113-
114- if [ -z "$file" ]; then
115- file=/etc/ssh/sshd_config
116- fi
117-
118- [ -f "$file" ] || return 0
119- # ListenAddress and Port only take a single word argument so anything
120- # after this must be a comment
121- while read option2 value junk; do
122- case $option2 in
123- $option)
124- echo $value
125- ;;
126- Include)
127- # globs
128- for f in $value; do
129- get_config_option_all "$option" "$f"
130- done
131- ;;
132- esac
133- done < $file
134-}
135-
136-hostnames_to_addresses() {
137- addresses="$1"
138- for address in $addresses; do
139- address_no_port="$(address_strip_port $address)"
140- if echo "$address_no_port" | grep -q '^[0-9a-f:]\+$\|^[0-9.]\+$'; then
141- numeric_addresses="$numeric_addresses $address"
142- else
143- new_addresses=$( (getent ahostsv4 $address_no_port;
144- getent ahostsv6 $address_no_port) \
145- | awk '$1 ~ /^::ffff:/ || $2 != "STREAM" { next; }
146- $1 ~ /:/ { print "[" $1 "]"; next; }
147- { print $1 }' \
148- | sort -u)
149- port="$(port_from_address $address)"
150- if [ -n "$port" ]; then
151- new_addresses="$(for addr in $new_addresses; do echo $addr:$port; done)"
152- fi
153- numeric_addresses="$numeric_addresses $new_addresses"
154- fi
155- done
156- echo "$numeric_addresses"
157-}
158-
159-port_from_address() {
160- address="$1"
161- if echo $address | grep -q '^\[[0-9a-f:]*\]:'; then
162- # This is an IPv6 address with a port.
163- port="$(echo $address | awk -F':' '{print $NF}')"
164- elif echo $address | grep -q '^\[[0-9a-f:]*\]\+$\|^[0-9a-f:]\+$'; then
165- # This is an IPv6 address without a port.
166- port=""
167- else
168- # This is an IPv4 address or hostname, where the port
169- # may or may not be specified.
170- port="$(echo $address | awk -F':' '{print $2}')"
171- fi
172- echo "$port"
173-}
174-
175-address_strip_port() {
176- address="$1"
177- if echo $address | grep -q '^\[[0-9a-f:]*\]\(:\|$\)'; then
178- # This is an IPv6 address in brackets, with or without a port.
179- address_no_port="$(echo $address | awk -F '[][]' '{print $2}')"
180- elif echo $address | grep -q '^[0-9a-f:]\+$'; then
181- # This is an IPv6 address with no brackets and no port.
182- address_no_port="$address"
183- else
184- # This is an IPv4 address or hostname, where the port
185- # may or may not be specified.
186- address_no_port="$(echo $address | awk -F':' '{print $1}')"
187- fi
188- echo "$address_no_port"
189-}
190-
191
192 create_key() {
193 msg="$1"
194@@ -211,102 +130,39 @@ if [ "$action" = configure ]; then
195 # which we now move back into place.
196 mv /etc/ssh/moduli.dpkg-bak /etc/ssh/moduli
197 fi
198- if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu8~
199- then
200- # migrate to systemd socket activation.
201- addresses=$(get_config_option_all ListenAddress)
202- addresses=$(hostnames_to_addresses "$addresses")
203- ports=$(get_config_option_all Port)
204- if [ -n "$addresses$ports" ]
205- then
206- override_dir=/etc/systemd/system/ssh.socket.d
207- mkdir -p "$override_dir"
208- echo '[Socket]' > "$override_dir"/addresses.conf.new
209- echo 'ListenStream=' >> "$override_dir"/addresses.conf.new
210- fi
211- if [ -n "$addresses" ]; then
212- [ -n "$ports" ] || ports=22
213- count=0
214- for address in $addresses; do
215- count=$((count+1))
216- port_from_address="$(port_from_address $address)"
217- if [ -z "$port_from_address" ]; then
218- for port in $ports; do
219- echo "ListenStream=$address:$port" \
220- >> "$override_dir"/addresses.conf.new
221- done
222- else
223- echo "ListenStream=$address" \
224- >> "$override_dir"/addresses.conf.new
225- fi
226- done
227- if [ $count -gt 1 ]; then
228- db_input critical openssh-server/listenstream-may-fail || true
229- db_go || true
230- rm -f "$override_dir"/addresses.conf.new
231- rmdir --ignore-fail-on-non-empty "$override_dir"
232- NO_SOCKET_MIGRATION=1
233- fi
234- elif [ -n "$ports" ]; then
235- for port in $ports; do
236- echo "ListenStream=$port" \
237- >> "$override_dir"/addresses.conf.new
238- done
239- fi
240-
241- if [ -z "$NO_SOCKET_MIGRATION" ] && [ -n "$addresses$ports" ]
242- then
243- mv "$override_dir"/addresses.conf.new \
244- "$override_dir"/addresses.conf
245- fi
246- fi
247- if dpkg --compare-versions "$2" lt 1:9.0p1-1ubuntu5~; then
248- if [ -z "$NO_SOCKET_MIGRATION" ]; then
249- override_dir=/etc/systemd/system/ssh.service.d
250- mkdir -p "$override_dir"
251- echo '[Unit]' > "$override_dir"/00-socket.conf
252- echo 'After=ssh.socket' >> "$override_dir"/00-socket.conf
253- echo 'Requires=ssh.socket' >> "$override_dir"/00-socket.conf
254-
255- # deb-systemd-helper is inadequate for the task of
256- # changing policy for the units on upgrade
257- if [ -d /run/systemd/system ]; then
258- systemctl daemon-reload
259- systemctl disable ssh.service
260- systemctl unmask ssh.service
261- systemctl stop ssh.service
262- systemctl enable ssh.socket
263- fi
264- fi
265- fi
266-
267- # Revert socket migration if we can determine the user hit
268- # LP: #1993478.
269- if dpkg --compare-versions "$2" lt-nl 1:9.0p1-1ubuntu7~ \
270- && [ -e /etc/systemd/system/ssh.socket.d/addresses.conf ] \
271- && [ -e /etc/systemd/system/ssh.service.d/00-socket.conf ] \
272- && [ -n "$NO_SOCKET_MIGRATION" ]; then
273- rm /etc/systemd/system/ssh.socket.d/addresses.conf
274- rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.socket.d
275- rm /etc/systemd/system/ssh.service.d/00-socket.conf
276- rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.service.d
277- if [ -d /run/systemd/system ]; then
278- systemctl daemon-reload
279- systemctl disable ssh.socket
280- systemctl stop ssh.socket
281- systemctl enable ssh.service
282- fi
283+ if dpkg --compare-versions "$2" lt-nl 1:9.6p1-3ubuntu3~; then
284+ # Remove old socket activation drop-in configurations, if they exist.
285+ if [ -d /etc/systemd/system/ssh.socket.d ]; then
286+ rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
287+ rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.socket.d
288+ fi
289+ if [ -d /etc/systemd/system/ssh.service.d ]; then
290+ rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
291+ rmdir --ignore-fail-on-non-empty /etc/systemd/system/ssh.service.d
292+ fi
293+ if [ -d /run/systemd/system ]; then
294+ # Make sure ssh.service is disabled.
295+ systemctl unmask ssh.service
296+ systemctl disable --now ssh.service > /dev/null 2>&1
297+
298+ # sshd-socket-generator is invoked on daemon-reload.
299+ systemctl daemon-reload
300+ systemctl enable ssh.socket
301+ fi
302 fi
303 fi
304
305 #DEBHELPER#
306
307 if [ -d /run/systemd/system ]; then
308- if deb-systemd-helper --quiet was-enabled ssh.socket; then
309- deb-systemd-invoke restart ssh.socket
310- elif deb-systemd-helper --quiet was-enabled ssh.service; then
311- deb-systemd-invoke restart ssh.service
312- fi
313+ # sshd-socket-generator is invoked on daemon-reload.
314+ systemctl daemon-reload
315+
316+ if deb-systemd-helper --quiet was-enabled ssh.socket; then
317+ deb-systemd-invoke restart ssh.socket
318+ elif deb-systemd-helper --quiet was-enabled ssh.service; then
319+ deb-systemd-invoke restart ssh.service
320+ fi
321 fi
322
323 db_stop
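Review bot: The new upgrade block runs `systemctl unmask ssh.service`, `systemctl disable --now ssh.service` and `systemctl enable ssh.socket` unconditionally, so an administrator who followed the previous README to opt out of socket activation, or who masked ssh.service on purpose, is switched back without notice. Checking the prior state first (the `deb-systemd-helper --quiet was-enabled` calls later in this hunk already do that for the restart) would preserve the opt-out. The block also deletes /etc/systemd/system/ssh.socket.d/addresses.conf without looking at its contents, and the sshd_config(5) note removed elsewhere in this change told administrators to keep address configuration in that directory; after the upgrade the listening addresses come from sshd_config alone, which can widen or change where sshd is reachable. A NEWS entry, or keeping a backup of a modified addresses.conf, would make that visible. Redirecting the output of `systemctl disable --now ssh.service` to /dev/null also hides any failure to stop the old service.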
324diff --git a/debian/openssh-server.postrm b/debian/openssh-server.postrm
325index 46798dd..fbaeb17 100644
326--- a/debian/openssh-server.postrm
327+++ b/debian/openssh-server.postrm
328@@ -23,10 +23,6 @@ case $1 in
329 if command -v ucfr >/dev/null 2>&1; then
330 ucfr --purge openssh-server /etc/ssh/sshd_config
331 fi
332- rm -f /etc/systemd/system/ssh.service.d/00-socket.conf
333- rm -f /etc/systemd/system/ssh.socket.d/addresses.conf
334- rmdir /etc/systemd/system/ssh.service.d || true
335- rmdir /etc/systemd/system/ssh.socket.d || true
336 rm -f /etc/ssh/sshd_not_to_be_run
337 [ ! -d /etc/ssh ] || rmdir --ignore-fail-on-non-empty /etc/ssh
338
339diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
340index 31f2935..e071fe3 100644
341--- a/debian/openssh-server.templates
342+++ b/debian/openssh-server.templates
343@@ -21,15 +21,3 @@ Description: Allow password authentication?
344 By default, the SSH server will allow authenticating using a password.
345 You may want to change this if all users on this system authenticate using
346 a stronger authentication method, such as public keys.
347-
348-Template: openssh-server/listenstream-may-fail
349-Type: error
350-_Description: Not migrating to socket activation
351- This version of openssh-server uses socket-based activation by default.
352- However, because you have more than one ListenAddress configured in
353- sshd_config, it is impossible to determine at upgrade time if migrating
354- you to socket-based activation would cause the starting of sshd at boot
355- to be unreliable.
356- .
357- Because a failure to start ssh may make it impossible to admininister a
358- system, you will not be migrated to socket-based activation at this time.
359diff --git a/debian/openssh-server.ucf-md5sum b/debian/openssh-server.ucf-md5sum
360index 9a8efb6..b2c0ac3 100644
361--- a/debian/openssh-server.ucf-md5sum
362+++ b/debian/openssh-server.ucf-md5sum
363@@ -132,3 +132,9 @@ fac56840f6697a357368bb878dd8fb87
364 d01da8c9de75176095712d4e37d5dcd5
365 e4898846045f33b8d99d3263d6f6fd81
366 ec46dc59ba9c9e9458add405264fcedd
367+
368+# From 1:9.6p1-3ubuntu3
369+b8e751f62cf86a18bc30cdaae494b03f
370+b89c8626d43128cdb233536439e00566
371+5f589fb3658df8cb7cce8505cf821e40
372+8d7588b06f81ef23bea8d84442af8e68
373diff --git a/debian/patches/series b/debian/patches/series
374index aba5430..3d5c5c8 100644
375--- a/debian/patches/series
376+++ b/debian/patches/series
377@@ -26,10 +26,10 @@ maxhostnamelen.patch
378 conch-ssh-rsa.patch
379 systemd-socket-activation.patch
380 broken-zero-call-used-regs.patch
381-socket-activation-documentation.patch
382 test-set-UsePAM-no-on-some-tests.patch
383 auth-Add-KbdintResult-definition-to-define-result-values-.patch
384 auth-pam-Add-an-enum-to-define-the-PAM-done-status.patch
385 auth-pam-Add-debugging-information-when-we-receive-PAM-me.patch
386 auth-pam-Immediately-report-interactive-instructions-to-c.patch
387 sshconnect2-Write-kbd-interactive-service-info-and-instru.patch
388+sshd-socket-generator.patch
389diff --git a/debian/patches/socket-activation-documentation.patch b/debian/patches/socket-activation-documentation.patch
390deleted file mode 100644
391index 9afde55..0000000
392--- a/debian/patches/socket-activation-documentation.patch
393+++ /dev/null
394@@ -1,50 +0,0 @@
395-Index: openssh-9.0p1/sshd_config.5
396-===================================================================
397---- openssh-9.0p1.orig/sshd_config.5
398-+++ openssh-9.0p1/sshd_config.5
399-@@ -1069,6 +1069,15 @@
400- Multiple
401- .Cm ListenAddress
402- options are permitted.
403-+.Pp
404-+.Cm Note:
405-+On Ubuntu, the openssh-server package is configured to use systemd
406-+socket-based activation by default. Therefore if you are using systemd with
407-+the default configuration,
408-+.Cm ListenAddress
409-+options will not be honored. Address configuration must be handled in
410-+.Pa /etc/systemd/system/ssh.socket.d
411-+instead.
412- .It Cm LoginGraceTime
413- The server disconnects after this time if the user has not
414- successfully logged in.
415-@@ -1520,6 +1529,15 @@
416- Multiple options of this type are permitted.
417- See also
418- .Cm ListenAddress .
419-+.Pp
420-+.Cm Note:
421-+On Ubuntu, the openssh-server package is configured to use systemd
422-+socket-based activation by default. Therefore if you are using systemd with
423-+the default configuration,
424-+.Cm Port
425-+options will not be honored. Address configuration must be handled in
426-+.Pa /etc/systemd/system/ssh.socket.d
427-+instead.
428- .It Cm PrintLastLog
429- Specifies whether
430- .Xr sshd 8
431-Index: openssh-9.0p1/sshd_config
432-===================================================================
433---- openssh-9.0p1.orig/sshd_config
434-+++ openssh-9.0p1/sshd_config
435-@@ -12,6 +12,9 @@
436-
437- Include /etc/ssh/sshd_config.d/*.conf
438-
439-+# Port and ListenAddress options are not used when sshd is socket-activated,
440-+# which is now the default in Ubuntu. See sshd_config(5) and
441-+# /usr/share/doc/openssh-server/README.Debian.gz for details.
442- #Port 22
443- #AddressFamily any
444- #ListenAddress 0.0.0.0
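Review bot: Deleting these notes outright leaves sshd_config(5) and the comment above `#Port 22` in sshd_config with no mention of socket activation. Port and ListenAddress are honoured again with the generator, but only after `systemctl daemon-reload` and `systemctl restart ssh.socket`, as the README change says; an administrator who edits sshd_config and restarts ssh.service will see no change. Replacing the removed text with a short note to that effect would be better than dropping the patch.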
445diff --git a/debian/patches/sshd-socket-generator.patch b/debian/patches/sshd-socket-generator.patch
446new file mode 100644
447index 0000000..ae3692c
448--- /dev/null
449+++ b/debian/patches/sshd-socket-generator.patch
450@@ -0,0 +1,363 @@
451+--- /dev/null
452++++ b/sshd-socket-generator.c
453+@@ -0,0 +1,290 @@
454++#include <errno.h>
455++#include <linux/limits.h>
456++#include <netdb.h>
457++#include <stdbool.h>
458++#include <stdio.h>
459++#include <stdlib.h>
460++#include <string.h>
461++#include <sys/socket.h>
462++#include <sys/stat.h>
463++#include <sys/types.h>
464++
465++#include "includes.h"
466++
467++#include "hostfile.h" /* Needs to be included before auth.h */
468++#include "auth.h"
469++#include "kex.h"
470++#include "log.h"
471++#include "misc.h"
472++#include "monitor.h"
473++#include "ssh-gss.h" /* Needs to be included before monitor_wrap.h */
474++#include "monitor_wrap.h"
475++#include "pathnames.h"
476++#include "servconf.h"
477++#include "sshbuf.h"
478++
479++#define MAX_LISTEN_STREAMS (16)
480++#define MAX_LISTEN_STREAM_LEN (NI_MAXHOST + NI_MAXSERV + sizeof("ListenAddress=[:]") + 1)
481++typedef char listen_stream_set[MAX_LISTEN_STREAMS][MAX_LISTEN_STREAM_LEN];
482++
483++/* Global variables required for sshd config parsing. */
484++ServerOptions options = {};
485++struct sshbuf *cfg = NULL;
486++struct include_list includes = TAILQ_HEAD_INITIALIZER(includes);
487++
488++/* Other global variables that are required for this to build, because of their
489++ * use throughout the codebase. We do NOT use these variables for the
490++ * generator. */
491++Authctxt *the_authctxt = NULL;
492++int privsep_is_preauth = 1;
493++int use_privsep = -1;
494++struct monitor *pmonitor = NULL;
495++struct ssh *the_active_state = NULL;
496++struct sshauthopt *auth_opts = NULL;
497++struct sshbuf *loginmsg = NULL;
498++
499++static int listen_stream_set_append(listen_stream_set set, const char *listen_stream) {
500++ size_t n;
501++
502++ if (!set)
503++ return -EINVAL;
504++
505++ n = strnlen(listen_stream, MAX_LISTEN_STREAM_LEN);
506++ if (n == MAX_LISTEN_STREAM_LEN)
507++ return -EINVAL;
508++
509++ for (int i = 0; i < MAX_LISTEN_STREAMS; i++) {
510++ if (strcmp(set[i], listen_stream) == 0)
511++ return 0;
512++
513++ if (strnlen(set[i], MAX_LISTEN_STREAM_LEN) > 0)
514++ continue;
515++
516++ memcpy(set[i], listen_stream, n);
517++
518++ return 0;
519++ }
520++
521++ return -E2BIG;
522++}
523++
524++static int listen_stream_set_len(listen_stream_set set) {
525++ int r = 0;
526++
527++ if (!set)
528++ return 0;
529++
530++ for (int i = 0; i < MAX_LISTEN_STREAMS; i++) {
531++ if (strnlen(set[i], MAX_LISTEN_STREAM_LEN) > 0)
532++ r++;
533++ else
534++ break;
535++ }
536++
537++ return r;
538++}
539++
540++static char *path_append(const char *base, const char *append) {
541++ bool add_slash;
542++ size_t n = 0, len_base, len_append;
543++ char *path = NULL;
544++
545++ len_base = strnlen(base, PATH_MAX);
546++ len_append = strnlen(append, PATH_MAX);
547++ add_slash = base[len_base - 1] != '/';
548++
549++ path = calloc(len_base + len_append + (add_slash ? 2 : 1), sizeof(char));
550++ if (!path)
551++ return NULL;
552++
553++ memcpy(path, base, len_base);
554++ n += len_base;
555++
556++ if (add_slash)
557++ path[n++] = '/';
558++
559++ memcpy(path + n, append, len_append);
560++ n += len_append;
561++ path[n] = '\0';
562++
563++ return path;
564++}
565++
566++static int fflush_and_check(FILE *f) {
567++ errno = 0;
568++ fflush(f);
569++
570++ if (ferror(f))
571++ return errno > 0 ? -errno : -EIO;
572++
573++ return 0;
574++}
575++
576++static int write_systemd_socket_file(const char *destdir) {
577++ listen_stream_set listen_streams = {};
578++ int num_listen_streams;
579++ char *conf = NULL, *overridedir = NULL;
580++ FILE *f = NULL;
581++ int r;
582++
583++ overridedir = path_append(destdir, "ssh.socket.d");
584++ if (!overridedir) {
585++ r = -ENOMEM;
586++ goto out;
587++ }
588++
589++ if (mkdir(overridedir, 0755) < 0 && errno != EEXIST) {
590++ r = -errno;
591++ goto out;
592++ }
593++
594++ conf = path_append(overridedir, "addresses.conf");
595++ if (!conf) {
596++ r = -ENOMEM;
597++ goto out;
598++ }
599++
600++ f = fopen(conf, "we");
601++ if (!f) {
602++ r = -errno;
603++ goto out;
604++ }
605++
606++ fprintf(f,
607++ "# Automatically generated by sshd-socket-generator\n"
608++ "\n[Socket]\n"
609++ "ListenStream=\n");
610++
611++ for (u_int i = 0; i < options.num_listen_addrs; i++) {
612++ for (struct addrinfo *ai = options.listen_addrs[i].addrs; ai; ai = ai->ai_next) {
613++ char addr[NI_MAXHOST] = {}, port[NI_MAXSERV] = {},
614++ listen_stream[MAX_LISTEN_STREAM_LEN] = {};
615++
616++ r = getnameinfo(ai->ai_addr, ai->ai_addrlen,
617++ addr, sizeof(addr),
618++ port, sizeof(port),
619++ NI_NUMERICHOST|NI_NUMERICSERV);
620++ if (r != 0) {
621++ fprintf(stderr, "%s\n", gai_strerror(r));
622++ r = r == EAI_SYSTEM ? -errno : -EINVAL;
623++ goto out;
624++ }
625++
626++ if (strcmp(addr, "0.0.0.0") == 0 || strcmp(addr, "::") == 0) {
627++ if (strcmp(port, "22") == 0)
628++ /* No need to override. This is the
629++ * default in ssh.socket. */
630++ continue;
631++
632++ /* If ListenAddress is 0.0.0.0 or ::, only
633++ * write the port in ListenStream=. */
634++ snprintf(listen_stream,
635++ MAX_LISTEN_STREAM_LEN,
636++ "ListenStream=%s",
637++ port);
638++ } else
639++ snprintf(listen_stream,
640++ MAX_LISTEN_STREAM_LEN,
641++ "ListenStream=%s%s%s:%s",
642++ ai->ai_family == AF_INET6 ? "[" : "",
643++ addr,
644++ ai->ai_family == AF_INET6 ? "]" : "",
645++ port);
646++
647++ r = listen_stream_set_append(listen_streams, listen_stream);
648++ if (r < 0)
649++ goto out;
650++ }
651++ }
652++
653++ num_listen_streams = listen_stream_set_len(listen_streams);
654++
655++ if (num_listen_streams <= 0) {
656++ /* We didn't generate anything useful, so clean up and leave
657++ * ssh.socket as-is. */
658++ r = -ENODATA;
659++ goto out;
660++ }
661++
662++ for (int i = 0; i < num_listen_streams; i++)
663++ fprintf(f, "%s\n", listen_streams[i]);
664++
665++ r = fflush_and_check(f);
666++ if (r < 0)
667++ goto out;
668++
669++out:
670++ if (f)
671++ fclose(f);
672++
673++ if (r < 0) {
674++ (void) remove(conf);
675++ (void) remove(overridedir);
676++ }
677++
678++ free(overridedir);
679++ free(conf);
680++
681++ return r;
682++}
683++
684++static int parse_sshd_config_options() {
685++ struct connection_info *connection_info;
686++
687++ cfg = sshbuf_new();
688++ if (!cfg)
689++ return -ENOMEM;
690++
691++ initialize_server_options(&options);
692++ load_server_config(_PATH_SERVER_CONFIG_FILE, cfg);
693++ parse_server_config(&options, _PATH_SERVER_CONFIG_FILE, cfg, &includes, NULL, 0);
694++ fill_default_server_options(&options);
695++
696++ connection_info = get_connection_info(NULL, 0, 0);
697++ connection_info->test = 1;
698++
699++ parse_server_match_config(&options, &includes, connection_info);
700++
701++ return 0;
702++}
703++
704++int main(int argc, char **argv) {
705++ const char *destdir = NULL;
706++ int r;
707++
708++ if (argc < 2) {
709++ fprintf(stderr, "Expected at least one argument.\n");
710++
711++ return EXIT_FAILURE;
712++ }
713++
714++ destdir = argv[1];
715++
716++ r = parse_sshd_config_options();
717++ if (r < 0) {
718++ fprintf(stderr, "Faild to parse sshd config: %s\n", strerror(-r));
719++
720++ return EXIT_FAILURE;
721++ }
722++
723++ if (options.num_listen_addrs <= 0) {
724++ /* No listen addresses configured? Don't generate anything. */
725++ fprintf(stderr, "No listen addresses configured. Will not generate anything.\n");
726++
727++ return EXIT_SUCCESS;
728++ }
729++
730++ r = write_systemd_socket_file(destdir);
731++ if (r == -ENODATA) {
732++ fprintf(stderr, "No custom listen addresses configured. Will not generated anything.\n");
733++
734++ return EXIT_SUCCESS;
735++ }
736++ if (r < 0) {
737++ fprintf(stderr, "Failed to generate ssh.socket: %s\n", strerror(-r));
738++
739++ return EXIT_FAILURE;
740++ }
741++
742++ return EXIT_SUCCESS;
743++}
744+--- a/Makefile.in
745++++ b/Makefile.in
746+@@ -17,6 +17,7 @@
747+ top_srcdir=@top_srcdir@
748+ abs_top_srcdir=@abs_top_srcdir@
749+ abs_top_builddir=@abs_top_builddir@
750++systemd_system_generator_dir=$(shell pkg-config --variable=systemd_system_generator_dir systemd)
751+
752+ DESTDIR=
753+ VPATH=@srcdir@
754+@@ -69,7 +70,7 @@
755+
756+ .SUFFIXES: .lo
757+
758+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
759++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) sshd-socket-generator$(EXEEXT)
760+
761+ XMSS_OBJS=\
762+ ssh-xmss.o \
763+@@ -134,6 +135,16 @@
764+ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
765+ sandbox-solaris.o uidswap.o $(SKOBJS)
766+
767++SSHD_SOCKET_GEN_OBJS=sshd-socket-generator.o \
768++ platform.o servconf.o groupaccess.o audit.o audit-linux.o \
769++ auth2.o auth2-none.o auth2-gss.o \
770++ auth2-passwd.o auth2-kbdint.o auth2-hostbased.o \
771++ auth-options.o uidswap.o auth2-pubkey.o auth.o \
772++ auth2-pubkeyfile.o auth-rhosts.o auth-passwd.o \
773++ gss-serv.o auth2-chall.o auth-pam.o gss-serv-krb5.o \
774++ loginrec.o auth-krb5.o auth-shadow.o \
775++ monitor.o monitor_wrap.o
776++
777+ SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o
778+
779+ SCP_OBJS= scp.o progressmeter.o $(SFTP_CLIENT_OBJS)
780+@@ -210,6 +221,9 @@
781+ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
782+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
783+
784++sshd-socket-generator$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SOCKET_GEN_OBJS)
785++ $(LD) -o $@ $(SSHD_SOCKET_GEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
786++
787+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
788+ $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
789+
790+@@ -392,6 +406,7 @@
791+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
792+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
793+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
794++ $(MKDIR_P) $(DESTDIR)$(systemd_system_generator_dir)
795+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
796+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
797+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
798+@@ -421,6 +436,7 @@
799+ $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
800+ $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
801+ $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8
802++ $(INSTALL) -m 0755 $(STRIP_OPT) sshd-socket-generator$(EXEEXT) $(DESTDIR)$(systemd_system_generator_dir)/sshd-socket-generator$(EXEEXT)
803+
804+ install-sysconf:
805+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)
806+@@ -478,6 +494,7 @@
807+ -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
808+ -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
809+ -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
810++ -rm -f $(DESTDIR)$(systemd_system_generator_dir)/sshd-socket-generator$(EXEEXT)
811+ -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
812+ -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
813+ -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
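Review bot: In write_systemd_socket_file() the drop-in always begins with an empty `ListenStream=`, which clears the ListenStream=22 from ssh.socket, but the loop then skips wildcard addresses on port 22 with `continue`. A configuration such as Port 22 plus Port 2222 therefore yields a drop-in that listens on 2222 only and silently drops 22; skip the default only when it would be the sole entry, or emit every entry. Errors also fail open: on any r < 0, for example -E2BIG once more than MAX_LISTEN_STREAMS entries are collected, the drop-in is removed and ssh.socket falls back to port 22 on all addresses, which can expose sshd on interfaces the administrator restricted with ListenAddress. Smaller points: path_append() reads `base[len_base - 1]` even when base is an empty string; the `out:` path calls remove(conf) and remove(overridedir) with NULL when path_append() failed; the return value of fclose() is ignored; MAX_LISTEN_STREAM_LEN is sized from "ListenAddress=[:]" although the string written is "ListenStream="; the messages "Faild to parse sshd config" and "Will not generated anything" have typos; and the patch file has no DEP-3 header describing its origin and forwarding status.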
814diff --git a/debian/po/cs.po b/debian/po/cs.po
815index 21b4c7b..d01e0ff 100644
816--- a/debian/po/cs.po
817+++ b/debian/po/cs.po
818@@ -7,7 +7,7 @@ msgid ""
819 msgstr ""
820 "Project-Id-Version: openssh 1:6.6p1-1\n"
821 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
822-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
823+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
824 "PO-Revision-Date: 2014-06-12 12:25+0200\n"
825 "Last-Translator: Michal Simunek <michal.simunek@gmail.com>\n"
826 "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
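Review bot: POT-Creation-Date moves backwards here, from 2022-09-23 to 2014-03-20, and the same change repeats in every debian/po file below. That suggests the catalogs were restored from an older copy rather than regenerated after the template was removed; regenerating them with debconf-updatepo would drop the obsolete msgids and keep the header date current.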
827@@ -53,28 +53,3 @@ msgstr ""
828 "poškodit systémy, které jsou nastaveny s předpokladem, že bude možné se "
829 "přihlašovat přes SSH jako root pomocí ověřování heslem. Změnu této volby "
830 "byste měli provést pouze pokud ověřování heslem potřebujete."
831-
832-#. Type: error
833-#. Description
834-#: ../openssh-server.templates:3001
835-msgid "Not migrating to socket activation"
836-msgstr ""
837-
838-#. Type: error
839-#. Description
840-#: ../openssh-server.templates:3001
841-msgid ""
842-"This version of openssh-server uses socket-based activation by default. "
843-"However, because you have more than one ListenAddress configured in "
844-"sshd_config, it is impossible to determine at upgrade time if migrating you "
845-"to socket-based activation would cause the starting of sshd at boot to be "
846-"unreliable."
847-msgstr ""
848-
849-#. Type: error
850-#. Description
851-#: ../openssh-server.templates:3001
852-msgid ""
853-"Because a failure to start ssh may make it impossible to admininister a "
854-"system, you will not be migrated to socket-based activation at this time."
855-msgstr ""
856diff --git a/debian/po/da.po b/debian/po/da.po
857index a08ca3b..70d576d 100644
858--- a/debian/po/da.po
859+++ b/debian/po/da.po
860@@ -7,7 +7,7 @@ msgid ""
861 msgstr ""
862 "Project-Id-Version: openssh\n"
863 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
864-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
865+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
866 "PO-Revision-Date: 2014-03-21 23:51+0200\n"
867 "Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
868 "Language-Team: Danish <debian-l10n-danish@lists.debian.org>\n"
869@@ -53,28 +53,3 @@ msgstr ""
870 "Det kan dog ødelægge systemer, som er opsat med forventning om at kunne SSH "
871 "som root via brug af adgangskodegodkendelse. Du skal kun lave denne ændring, "
872 "hvis du ikke har brug for dette."
873-
874-#. Type: error
875-#. Description
876-#: ../openssh-server.templates:3001
877-msgid "Not migrating to socket activation"
878-msgstr ""
879-
880-#. Type: error
881-#. Description
882-#: ../openssh-server.templates:3001
883-msgid ""
884-"This version of openssh-server uses socket-based activation by default. "
885-"However, because you have more than one ListenAddress configured in "
886-"sshd_config, it is impossible to determine at upgrade time if migrating you "
887-"to socket-based activation would cause the starting of sshd at boot to be "
888-"unreliable."
889-msgstr ""
890-
891-#. Type: error
892-#. Description
893-#: ../openssh-server.templates:3001
894-msgid ""
895-"Because a failure to start ssh may make it impossible to admininister a "
896-"system, you will not be migrated to socket-based activation at this time."
897-msgstr ""
898diff --git a/debian/po/de.po b/debian/po/de.po
899index 2536ea4..ecba54b 100644
900--- a/debian/po/de.po
901+++ b/debian/po/de.po
902@@ -8,7 +8,7 @@ msgid ""
903 msgstr ""
904 "Project-Id-Version: openssh_1:6.6p1-1\n"
905 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
906-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
907+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
908 "PO-Revision-Date: 2014-03-24 22:21+0100\n"
909 "Last-Translator: Stephan Beck <sbeck@mailbox.org>\n"
910 "Language-Team: Debian German translation team <debian-l10n-german@lists."
911@@ -59,28 +59,3 @@ msgstr ""
912 "in der Absicht konfiguriert wurden, die Anmeldung als »root« über SSH unter "
913 "Verwendung von Passwort-Authentifizierung zuzulassen. Sie sollten diese "
914 "Änderung nur vornehmen, wenn Sie auf Letzteres verzichten können."
915-
916-#. Type: error
917-#. Description
918-#: ../openssh-server.templates:3001
919-msgid "Not migrating to socket activation"
920-msgstr ""
921-
922-#. Type: error
923-#. Description
924-#: ../openssh-server.templates:3001
925-msgid ""
926-"This version of openssh-server uses socket-based activation by default. "
927-"However, because you have more than one ListenAddress configured in "
928-"sshd_config, it is impossible to determine at upgrade time if migrating you "
929-"to socket-based activation would cause the starting of sshd at boot to be "
930-"unreliable."
931-msgstr ""
932-
933-#. Type: error
934-#. Description
935-#: ../openssh-server.templates:3001
936-msgid ""
937-"Because a failure to start ssh may make it impossible to admininister a "
938-"system, you will not be migrated to socket-based activation at this time."
939-msgstr ""
940diff --git a/debian/po/es.po b/debian/po/es.po
941index 14550d6..de8a67a 100644
942--- a/debian/po/es.po
943+++ b/debian/po/es.po
944@@ -28,7 +28,7 @@ msgid ""
945 msgstr ""
946 "Project-Id-Version: openssh\n"
947 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
948-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
949+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
950 "PO-Revision-Date: 2014-03-23 20:43-0300\n"
951 "Last-Translator: Matías Bellone <matiasbellone+debian@gmail.com>\n"
952 "Language-Team: Debian l10n Spanish <debian-l10n-spanish@lists.debian.org>\n"
953@@ -78,28 +78,3 @@ msgstr ""
954 "configuración permite que el usuario root inicie sesión a través de SSH "
955 "utilizando una contraseña. Sólo debería realizar este cambio si no necesita "
956 "este comportamiento."
957-
958-#. Type: error
959-#. Description
960-#: ../openssh-server.templates:3001
961-msgid "Not migrating to socket activation"
962-msgstr ""
963-
964-#. Type: error
965-#. Description
966-#: ../openssh-server.templates:3001
967-msgid ""
968-"This version of openssh-server uses socket-based activation by default. "
969-"However, because you have more than one ListenAddress configured in "
970-"sshd_config, it is impossible to determine at upgrade time if migrating you "
971-"to socket-based activation would cause the starting of sshd at boot to be "
972-"unreliable."
973-msgstr ""
974-
975-#. Type: error
976-#. Description
977-#: ../openssh-server.templates:3001
978-msgid ""
979-"Because a failure to start ssh may make it impossible to admininister a "
980-"system, you will not be migrated to socket-based activation at this time."
981-msgstr ""
982diff --git a/debian/po/fr.po b/debian/po/fr.po
983index 7d7093b..f7125e9 100644
984--- a/debian/po/fr.po
985+++ b/debian/po/fr.po
986@@ -7,7 +7,7 @@ msgid ""
987 msgstr ""
988 "Project-Id-Version: openssh_1:6.5p1-6\n"
989 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
990-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
991+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
992 "PO-Revision-Date: 2014-03-22 08:26+0100\n"
993 "Last-Translator: Étienne Gilli <etienne.gilli@gmail.com>\n"
994 "Language-Team: French <debian-l10n-french@lists.debian.org>\n"
995@@ -57,28 +57,3 @@ msgstr ""
996 "inutilisables les systèmes reposant sur la possibilité de se connecter au "
997 "compte « root » par SSH avec authentification par mot de passe. Vous ne "
998 "devriez appliquer cette modification que si ce n’est pas votre cas."
999-
1000-#. Type: error
1001-#. Description
1002-#: ../openssh-server.templates:3001
1003-msgid "Not migrating to socket activation"
1004-msgstr ""
1005-
1006-#. Type: error
1007-#. Description
1008-#: ../openssh-server.templates:3001
1009-msgid ""
1010-"This version of openssh-server uses socket-based activation by default. "
1011-"However, because you have more than one ListenAddress configured in "
1012-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1013-"to socket-based activation would cause the starting of sshd at boot to be "
1014-"unreliable."
1015-msgstr ""
1016-
1017-#. Type: error
1018-#. Description
1019-#: ../openssh-server.templates:3001
1020-msgid ""
1021-"Because a failure to start ssh may make it impossible to admininister a "
1022-"system, you will not be migrated to socket-based activation at this time."
1023-msgstr ""
1024diff --git a/debian/po/it.po b/debian/po/it.po
1025index 5390795..dd71060 100644
1026--- a/debian/po/it.po
1027+++ b/debian/po/it.po
1028@@ -6,7 +6,7 @@ msgid ""
1029 msgstr ""
1030 "Project-Id-Version: openssh\n"
1031 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1032-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1033+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1034 "PO-Revision-Date: 2014-03-28 11:12+0200\n"
1035 "Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
1036 "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
1037@@ -56,28 +56,3 @@ msgstr ""
1038 "impostati facendo affidamento sulla possibilità di autenticazione SSH come "
1039 "root usando la password. Si dovrebbe fare questo cambiamento solo se non si "
1040 "ha bisogno di tale comportamento."
1041-
1042-#. Type: error
1043-#. Description
1044-#: ../openssh-server.templates:3001
1045-msgid "Not migrating to socket activation"
1046-msgstr ""
1047-
1048-#. Type: error
1049-#. Description
1050-#: ../openssh-server.templates:3001
1051-msgid ""
1052-"This version of openssh-server uses socket-based activation by default. "
1053-"However, because you have more than one ListenAddress configured in "
1054-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1055-"to socket-based activation would cause the starting of sshd at boot to be "
1056-"unreliable."
1057-msgstr ""
1058-
1059-#. Type: error
1060-#. Description
1061-#: ../openssh-server.templates:3001
1062-msgid ""
1063-"Because a failure to start ssh may make it impossible to admininister a "
1064-"system, you will not be migrated to socket-based activation at this time."
1065-msgstr ""
1066diff --git a/debian/po/ja.po b/debian/po/ja.po
1067index b48d281..db382f1 100644
1068--- a/debian/po/ja.po
1069+++ b/debian/po/ja.po
1070@@ -7,7 +7,7 @@ msgid ""
1071 msgstr ""
1072 "Project-Id-Version: openssh\n"
1073 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1074-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1075+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1076 "PO-Revision-Date: 2014-03-20 11:06+0900\n"
1077 "Last-Translator: victory <victory.deb@gmail.com>\n"
1078 "Language-Team: Japanese <debian-japanese@lists.debian.org>\n"
1079@@ -53,28 +53,3 @@ msgstr ""
1080 "ます。しかしパスワード認証により root で SSH 接続できることを前提として構成し"
1081 "たシステムでは問題が発生する可能性があります。そういった必要のない場合にのみ"
1082 "この変更を行うようにしてください。"
1083-
1084-#. Type: error
1085-#. Description
1086-#: ../openssh-server.templates:3001
1087-msgid "Not migrating to socket activation"
1088-msgstr ""
1089-
1090-#. Type: error
1091-#. Description
1092-#: ../openssh-server.templates:3001
1093-msgid ""
1094-"This version of openssh-server uses socket-based activation by default. "
1095-"However, because you have more than one ListenAddress configured in "
1096-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1097-"to socket-based activation would cause the starting of sshd at boot to be "
1098-"unreliable."
1099-msgstr ""
1100-
1101-#. Type: error
1102-#. Description
1103-#: ../openssh-server.templates:3001
1104-msgid ""
1105-"Because a failure to start ssh may make it impossible to admininister a "
1106-"system, you will not be migrated to socket-based activation at this time."
1107-msgstr ""
1108diff --git a/debian/po/nl.po b/debian/po/nl.po
1109index eca9662..3afd617 100644
1110--- a/debian/po/nl.po
1111+++ b/debian/po/nl.po
1112@@ -7,7 +7,7 @@ msgid ""
1113 msgstr ""
1114 "Project-Id-Version: openssh\n"
1115 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1116-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1117+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1118 "PO-Revision-Date: 2014-10-03 23:54+0200\n"
1119 "Last-Translator: Frans Spiesschaert <Frans.Spiesschaert@yucom.be>\n"
1120 "Language-Team: Debian Dutch l10n Team <debian-l10n-dutch@lists.debian.org>\n"
1121@@ -58,28 +58,3 @@ msgstr ""
1122 "ingesteld werden vanuit de verwachting dat de systeembeheerder SSH kan "
1123 "gebruiken met authenticatie via wachtwoord. Enkel wanneer u dit laatste niet "
1124 "nodig heeft, zou u deze wijziging kunnen doorvoeren."
1125-
1126-#. Type: error
1127-#. Description
1128-#: ../openssh-server.templates:3001
1129-msgid "Not migrating to socket activation"
1130-msgstr ""
1131-
1132-#. Type: error
1133-#. Description
1134-#: ../openssh-server.templates:3001
1135-msgid ""
1136-"This version of openssh-server uses socket-based activation by default. "
1137-"However, because you have more than one ListenAddress configured in "
1138-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1139-"to socket-based activation would cause the starting of sshd at boot to be "
1140-"unreliable."
1141-msgstr ""
1142-
1143-#. Type: error
1144-#. Description
1145-#: ../openssh-server.templates:3001
1146-msgid ""
1147-"Because a failure to start ssh may make it impossible to admininister a "
1148-"system, you will not be migrated to socket-based activation at this time."
1149-msgstr ""
1150diff --git a/debian/po/pt.po b/debian/po/pt.po
1151index 8f51af9..2dab84c 100644
1152--- a/debian/po/pt.po
1153+++ b/debian/po/pt.po
1154@@ -7,7 +7,7 @@ msgid ""
1155 msgstr ""
1156 "Project-Id-Version: openssh 1:6.6p1-1\n"
1157 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1158-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1159+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1160 "PO-Revision-Date: 2014-03-21 21:13+0000\n"
1161 "Last-Translator: Américo Monteiro <a_monteiro@gmx.com>\n"
1162 "Language-Team: Portuguese <traduz@debianpt.org>\n"
1163@@ -57,28 +57,3 @@ msgstr ""
1164 "configurados com a expectativa de serem capazes de SSH como root usando "
1165 "autenticação por palavra-passe. Apenas deverá fazer esta alteração se não "
1166 "precisa de tal método de autenticação."
1167-
1168-#. Type: error
1169-#. Description
1170-#: ../openssh-server.templates:3001
1171-msgid "Not migrating to socket activation"
1172-msgstr ""
1173-
1174-#. Type: error
1175-#. Description
1176-#: ../openssh-server.templates:3001
1177-msgid ""
1178-"This version of openssh-server uses socket-based activation by default. "
1179-"However, because you have more than one ListenAddress configured in "
1180-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1181-"to socket-based activation would cause the starting of sshd at boot to be "
1182-"unreliable."
1183-msgstr ""
1184-
1185-#. Type: error
1186-#. Description
1187-#: ../openssh-server.templates:3001
1188-msgid ""
1189-"Because a failure to start ssh may make it impossible to admininister a "
1190-"system, you will not be migrated to socket-based activation at this time."
1191-msgstr ""
1192diff --git a/debian/po/pt_BR.po b/debian/po/pt_BR.po
1193index 98856bb..99b1182 100644
1194--- a/debian/po/pt_BR.po
1195+++ b/debian/po/pt_BR.po
1196@@ -8,7 +8,7 @@ msgid ""
1197 msgstr ""
1198 "Project-Id-Version: openssh\n"
1199 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1200-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1201+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1202 "PO-Revision-Date: 2014-11-23 23:49-0200\n"
1203 "Last-Translator: José de Figueiredo <deb.gnulinux@gmail.com>\n"
1204 "Language-Team: Brazilian Portuguese <debian-l10n-portuguese@lists.debian."
1205@@ -55,28 +55,3 @@ msgstr ""
1206 "Entretanto, ela pode quebrar sistemas que foram configurados com a "
1207 "expectativa de acesso SSH com root usando autenticação por senha. Você deve "
1208 "fazer esta mudança somente se você não precisa fazer isso."
1209-
1210-#. Type: error
1211-#. Description
1212-#: ../openssh-server.templates:3001
1213-msgid "Not migrating to socket activation"
1214-msgstr ""
1215-
1216-#. Type: error
1217-#. Description
1218-#: ../openssh-server.templates:3001
1219-msgid ""
1220-"This version of openssh-server uses socket-based activation by default. "
1221-"However, because you have more than one ListenAddress configured in "
1222-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1223-"to socket-based activation would cause the starting of sshd at boot to be "
1224-"unreliable."
1225-msgstr ""
1226-
1227-#. Type: error
1228-#. Description
1229-#: ../openssh-server.templates:3001
1230-msgid ""
1231-"Because a failure to start ssh may make it impossible to admininister a "
1232-"system, you will not be migrated to socket-based activation at this time."
1233-msgstr ""
1234diff --git a/debian/po/ru.po b/debian/po/ru.po
1235index 3fa193c..f2e1daf 100644
1236--- a/debian/po/ru.po
1237+++ b/debian/po/ru.po
1238@@ -6,7 +6,7 @@ msgid ""
1239 msgstr ""
1240 "Project-Id-Version: openssh 1:6.6p1-1\n"
1241 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1242-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1243+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1244 "PO-Revision-Date: 2014-03-22 10:04+0400\n"
1245 "Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
1246 "Language-Team: Russian <debian-l10n-russian@lists.debian.org>\n"
1247@@ -14,8 +14,8 @@ msgstr ""
1248 "MIME-Version: 1.0\n"
1249 "Content-Type: text/plain; charset=UTF-8\n"
1250 "Content-Transfer-Encoding: 8bit\n"
1251-"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
1252-"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
1253+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
1254+"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
1255 "X-Generator: Lokalize 1.4\n"
1256
1257 #. Type: boolean
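Review bot: The Plural-Forms change only moves the line wrap (the break now falls between "n" and "%10"), with no change to the expression. It looks like tool-version churn and could be left out to keep the delta to the translations minimal.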
1258@@ -55,28 +55,3 @@ msgstr ""
1259 "атак). Однако, это вредит системам, в которых специально настроен вход для "
1260 "root по SSH с парольной аутентификацией. Если это не ваш случай, то ответьте "
1261 "утвердительно."
1262-
1263-#. Type: error
1264-#. Description
1265-#: ../openssh-server.templates:3001
1266-msgid "Not migrating to socket activation"
1267-msgstr ""
1268-
1269-#. Type: error
1270-#. Description
1271-#: ../openssh-server.templates:3001
1272-msgid ""
1273-"This version of openssh-server uses socket-based activation by default. "
1274-"However, because you have more than one ListenAddress configured in "
1275-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1276-"to socket-based activation would cause the starting of sshd at boot to be "
1277-"unreliable."
1278-msgstr ""
1279-
1280-#. Type: error
1281-#. Description
1282-#: ../openssh-server.templates:3001
1283-msgid ""
1284-"Because a failure to start ssh may make it impossible to admininister a "
1285-"system, you will not be migrated to socket-based activation at this time."
1286-msgstr ""
1287diff --git a/debian/po/sv.po b/debian/po/sv.po
1288index 296e611..278b0cc 100644
1289--- a/debian/po/sv.po
1290+++ b/debian/po/sv.po
1291@@ -8,7 +8,7 @@ msgid ""
1292 msgstr ""
1293 "Project-Id-Version: openssh\n"
1294 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1295-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1296+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1297 "PO-Revision-Date: 2014-03-21 21:36+0100\n"
1298 "Last-Translator: Andreas Rönnquist <gusnan@gusnan.se>\n"
1299 "Language-Team: Swedish\n"
1300@@ -56,28 +56,3 @@ msgstr ""
1301 "sådana angrepp). Dock så kan detta förstöra system som förväntas kunna "
1302 "använda SSH som root med hjälp av lösenordsautentisering. Du skall endast "
1303 "göra denna förändring om du inte har ett behov av att kunna göra detta."
1304-
1305-#. Type: error
1306-#. Description
1307-#: ../openssh-server.templates:3001
1308-msgid "Not migrating to socket activation"
1309-msgstr ""
1310-
1311-#. Type: error
1312-#. Description
1313-#: ../openssh-server.templates:3001
1314-msgid ""
1315-"This version of openssh-server uses socket-based activation by default. "
1316-"However, because you have more than one ListenAddress configured in "
1317-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1318-"to socket-based activation would cause the starting of sshd at boot to be "
1319-"unreliable."
1320-msgstr ""
1321-
1322-#. Type: error
1323-#. Description
1324-#: ../openssh-server.templates:3001
1325-msgid ""
1326-"Because a failure to start ssh may make it impossible to admininister a "
1327-"system, you will not be migrated to socket-based activation at this time."
1328-msgstr ""
1329diff --git a/debian/po/templates.pot b/debian/po/templates.pot
1330index c9dc5ba..47c9e36 100644
1331--- a/debian/po/templates.pot
1332+++ b/debian/po/templates.pot
1333@@ -1,6 +1,6 @@
1334 # SOME DESCRIPTIVE TITLE.
1335 # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
1336-# This file is distributed under the same license as the openssh package.
1337+# This file is distributed under the same license as the PACKAGE package.
1338 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
1339 #
1340 #, fuzzy
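Review bot: The license comment goes from "the openssh package" back to the unfilled placeholder "the PACKAGE package", which is a regression in the template header unrelated to removing the socket-activation messages. Keep the existing line, or pass the package name when regenerating templates.pot.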
1341@@ -8,7 +8,7 @@ msgid ""
1342 msgstr ""
1343 "Project-Id-Version: openssh\n"
1344 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1345-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1346+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1347 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
1348 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
1349 "Language-Team: LANGUAGE <LL@li.org>\n"
1350@@ -44,28 +44,3 @@ msgid ""
1351 "able to SSH as root using password authentication. You should only make this "
1352 "change if you do not need to do that."
1353 msgstr ""
1354-
1355-#. Type: error
1356-#. Description
1357-#: ../openssh-server.templates:3001
1358-msgid "Not migrating to socket activation"
1359-msgstr ""
1360-
1361-#. Type: error
1362-#. Description
1363-#: ../openssh-server.templates:3001
1364-msgid ""
1365-"This version of openssh-server uses socket-based activation by default. "
1366-"However, because you have more than one ListenAddress configured in "
1367-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1368-"to socket-based activation would cause the starting of sshd at boot to be "
1369-"unreliable."
1370-msgstr ""
1371-
1372-#. Type: error
1373-#. Description
1374-#: ../openssh-server.templates:3001
1375-msgid ""
1376-"Because a failure to start ssh may make it impossible to admininister a "
1377-"system, you will not be migrated to socket-based activation at this time."
1378-msgstr ""
1379diff --git a/debian/po/tr.po b/debian/po/tr.po
1380index fd6bde5..1ada041 100644
1381--- a/debian/po/tr.po
1382+++ b/debian/po/tr.po
1383@@ -7,15 +7,15 @@ msgid ""
1384 msgstr ""
1385 "Project-Id-Version: openssh-server\n"
1386 "Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
1387-"POT-Creation-Date: 2022-09-23 19:34+0000\n"
1388+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
1389 "PO-Revision-Date: 2014-08-01 14:44+0200\n"
1390 "Last-Translator: Mert Dirik <mertdirik@gmail.com>\n"
1391 "Language-Team: Debian L10n Turkish <debian-l10n-turkish@lists.debian.org>\n"
1392-"Language: tr\n"
1393 "MIME-Version: 1.0\n"
1394 "Content-Type: text/plain; charset=UTF-8\n"
1395 "Content-Transfer-Encoding: 8bit\n"
1396 "X-Generator: Poedit 1.5.4\n"
1397+"Language: tr\n"
1398
1399 #. Type: boolean
1400 #. Description
1401@@ -56,28 +56,3 @@ msgstr ""
1402 "parola doğrulama yöntemiyle oturum açılabileceği varsayımıyla hareket eden "
1403 "sistemlerde eskiden çalışan düzenin bozulmasına sebep olacaktır. Bu "
1404 "değişikliği yalnızca sorun çıkarmayacağından eminseniz yapın."
1405-
1406-#. Type: error
1407-#. Description
1408-#: ../openssh-server.templates:3001
1409-msgid "Not migrating to socket activation"
1410-msgstr ""
1411-
1412-#. Type: error
1413-#. Description
1414-#: ../openssh-server.templates:3001
1415-msgid ""
1416-"This version of openssh-server uses socket-based activation by default. "
1417-"However, because you have more than one ListenAddress configured in "
1418-"sshd_config, it is impossible to determine at upgrade time if migrating you "
1419-"to socket-based activation would cause the starting of sshd at boot to be "
1420-"unreliable."
1421-msgstr ""
1422-
1423-#. Type: error
1424-#. Description
1425-#: ../openssh-server.templates:3001
1426-msgid ""
1427-"Because a failure to start ssh may make it impossible to admininister a "
1428-"system, you will not be migrated to socket-based activation at this time."
1429-msgstr ""
1430diff --git a/debian/rules b/debian/rules
1431index dff4713..54d82cb 100755
1432--- a/debian/rules
1433+++ b/debian/rules
1434@@ -1,6 +1,6 @@
1435 #!/usr/bin/make -f
1436
1437-export DEB_BUILD_MAINT_OPTIONS := hardening=+all
1438+export DEB_BUILD_MAINT_OPTIONS := hardening=+all optimize=+lto
1439
1440 include /usr/share/dpkg/default.mk
1441
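Review bot: optimize=+lto on the DEB_BUILD_MAINT_OPTIONS line is a build-wide toolchain change that has nothing to do with the socket generator this proposal describes. Make sure debian/changelog records why it is needed, or split it into its own change so it can be reviewed and reverted independently.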
1442diff --git a/debian/systemd/ssh.socket b/debian/systemd/ssh.socket
1443index 1de1280..69e93a0 100644
1444--- a/debian/systemd/ssh.socket
1445+++ b/debian/systemd/ssh.socket
1446@@ -1,11 +1,13 @@
1447 [Unit]
1448 Description=OpenBSD Secure Shell server socket
1449-Before=sockets.target
1450+Before=sockets.target ssh.service
1451 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
1452
1453 [Socket]
1454 ListenStream=22
1455 Accept=no
1456+FreeBind=yes
1457
1458 [Install]
1459 WantedBy=sockets.target
1460+RequiredBy=ssh.service
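Review bot: With FreeBind=yes in [Socket], a ListenStream= address that is never configured on any interface (a mistyped ListenAddress, for instance) binds without error, so that misconfiguration no longer surfaces as a failed unit. Please say so in debian/README.Debian. Separately, Before=sockets.target ssh.service together with RequiredBy=ssh.service means that once the socket is enabled, starting ssh.service pulls in ssh.socket first; the documentation should explain how an administrator who wants sshd to own its listeners opts out.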
1461diff --git a/debian/tests/control b/debian/tests/control
1462index adef04c..dd8069d 100644
1463--- a/debian/tests/control
1464+++ b/debian/tests/control
1465@@ -15,3 +15,9 @@ Restrictions: needs-root allow-stderr
1466 Depends: openssh-client,
1467 openssh-server,
1468 systemd,
1469+
1470+Tests: sshd-socket-generator
1471+Restrictions: needs-root allow-stderr
1472+Depends: openssh-client,
1473+ openssh-server,
1474+ systemd,
1475diff --git a/debian/tests/sshd-socket-generator b/debian/tests/sshd-socket-generator
1476new file mode 100644
1477index 0000000..da6b4d6
1478--- /dev/null
1479+++ b/debian/tests/sshd-socket-generator
1480@@ -0,0 +1,105 @@
1481+#!/bin/bash
1482+
1483+test_default() (
1484+ set -xeuo pipefail
1485+
1486+ /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
1487+
1488+ # Nothing should be generated in this case.
1489+ test ! -e "$testdir/ssh.socket.d"
1490+)
1491+
1492+test_custom_port() (
1493+ set -xeuo pipefail
1494+
1495+ echo "Port 1234" >> "$testconf"
1496+
1497+ /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
1498+
1499+ grep -q "^ListenStream=1234" "$socket_override"
1500+)
1501+
1502+test_mutiple_custom_ports() (
1503+ set -xeuo pipefail
1504+
1505+ echo "Port 1234" >> "$testconf"
1506+ echo "Port 4321" >> "$testconf"
1507+
1508+ /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
1509+
1510+ grep -q "^ListenStream=1234" "$socket_override"
1511+ grep -q "^ListenStream=4321" "$socket_override"
1512+)
1513+
1514+test_custom_listenaddress() (
1515+ set -xeuo pipefail
1516+
1517+ echo "ListenAddress 10.1.2.3" >> "$testconf"
1518+
1519+ /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
1520+
1521+ grep -q "^ListenStream=10.1.2.3:22" "$socket_override"
1522+)
1523+
1524+test_custom_listenaddress_and_port() (
1525+ set -xeuo pipefail
1526+
1527+ echo "Port 1234" >> "$testconf"
1528+ echo "ListenAddress 10.1.2.3" >> "$testconf"
1529+
1530+ /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
1531+
1532+ grep -q "^ListenStream=10.1.2.3:1234" "$socket_override"
1533+)
1534+
1535+test_custom_ipv6_listenaddress() (
1536+ set -xeuo pipefail
1537+
1538+ echo "ListenAddress 2001:db8:85a3::8a2e:370:7334" >> "$testconf"
1539+
1540+ /usr/lib/systemd/system-generators/sshd-socket-generator "$testdir"
1541+
1542+ grep -q "^ListenStream=\[2001:db8:85a3::8a2e:370:7334\]:22" "$socket_override"
1543+)
1544+
1545+tmpdir="$(mktemp -d)"
1546+testconf="/etc/ssh/sshd_config.d/test.conf"
1547+failed=
1548+
1549+mkdir -p /etc/ssh/sshd_config.d
1550+
1551+for test_fn in \
1552+ "test_default" \
1553+ "test_custom_port" \
1554+ "test_mutiple_custom_ports" \
1555+ "test_custom_listenaddress" \
1556+ "test_custom_listenaddress_and_port" \
1557+ "test_custom_ipv6_listenaddress"
1558+do
1559+ echo -n "$test_fn..."
1560+
1561+ testdir="${tmpdir}/${test_fn}"
1562+ socket_override="${testdir}/ssh.socket.d/addresses.conf"
1563+ mkdir -p "$testdir"
1564+
1565+ $test_fn > "${AUTOPKGTEST_ARTIFACTS}/${test_fn}.log" 2>&1
1566+ if [[ $? -eq 0 ]]; then
1567+ echo "PASS"
1568+ else
1569+ echo "FAIL"
1570+ failed="${failed:+$failed }$test_fn"
1571+ fi
1572+
1573+ >"$testconf"
1574+done
1575+
1576+if [[ -n "$failed" ]]; then
1577+ for t in $failed; do
1578+ echo "--------------------------------------------"
1579+ echo "FAIL: $t"
1580+ echo "--------------------------------------------"
1581+ cat "${AUTOPKGTEST_ARTIFACTS}/${t}.log"
1582+ done
1583+
1584+ exit 1
1585+fi
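Review bot: The grep assertions are unanchored and positive-only: "^ListenStream=1234" also matches ListenStream=12345, the dots in "10.1.2.3:22" match any character, and no test checks that the default port 22 is absent from the override when a custom Port is set. Use grep -qFx with the full expected line and add a negative check. The script also writes to the live /etc/ssh/sshd_config.d/test.conf and only truncates it with >"$testconf", so an empty file and $tmpdir are left behind; a trap on EXIT that removes both would clean up even on an interrupted run. Minor: test_mutiple_custom_ports is misspelled in both the definition and the loop list.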
